Less than two months ago, WannaCry made the headlines as the most destructive malware in history. This time the world faces a new virus that reuses the functionality of the Petya ransomware: Petrwrap. It has already hit many companies and institutions in different countries, including Merck, Rosneft, Maersk and Mondelez, causing severe operational disruptions.

How Petrwrap infects computers

The new version of Petya initially arrives by email. Once it infects a computer, it automatically tries to infect other computers on the same network. This works against computers that are still vulnerable to the EternalBlue exploit, the same SMB vulnerability that WannaCry used to spread on its own.

Apart from exploiting the SMB vulnerability, the malware also tries to use the security context of the currently logged-in user (that user's credentials) to spread to other reachable machines on the network, even ones that are fully patched.

Once the virus starts executing, it encrypts files of several types found on the machine. Unlike other ransomware, Petrwrap overwrites the content of the original file in place with encrypted data, without changing the file extension. It also does not encrypt image files.
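Because the extension is left untouched, any check that trusts file names alone will see nothing wrong. The following added example (not code from the original post or from TEMASOFT) shows a defender-side check that instead compares the first bytes of a file with the magic number its extension implies, and measures byte entropy, so an encrypted body hiding behind a familiar name stands out. The sample files are constructed inside a temporary directory, and the entropy threshold of 7.0 bits per byte is an assumption chosen for this example.

```python
"""Flag files whose contents no longer match what their extension promises.

Added example, not from the original post: ransomware such as Petrwrap
overwrites file contents in place and keeps the extension, so a check that
relies on extensions alone sees nothing wrong. Comparing the leading bytes
with the format's magic number, plus a byte-entropy measurement, catches an
encrypted body that still carries a document name.
"""
import math
import os
import tempfile
from collections import Counter

# Magic numbers for a few common formats (well-known constants).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",   # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".zip": b"PK\x03\x04",
}

# Assumed threshold: encrypted or compressed data sits close to 8 bits/byte,
# while plain documents are usually well below 7.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniformly random data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_file(path: str, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Read the file header and decide whether it looks encrypted in place."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)
    expected = MAGIC.get(ext)
    # Unknown extensions cannot be judged by magic, so they pass this check.
    magic_ok = expected is None or head.startswith(expected)
    entropy = shannon_entropy(head)
    return {
        "path": path,
        "magic_ok": magic_ok,
        "entropy": round(entropy, 2),
        # Both signals together: wrong header AND random-looking content.
        "suspicious": (not magic_ok) and entropy >= threshold,
    }


def scan_directory(root: str) -> list:
    """Inspect every regular file below root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            findings.append(inspect_file(os.path.join(dirpath, name)))
    return findings


def build_sample_tree() -> str:
    """Constructed sample: one intact PDF-like file, one overwritten in place."""
    root = tempfile.mkdtemp(prefix="petya_demo_")
    with open(os.path.join(root, "invoice.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"Plain report text. " * 50)
    # Simulate an in-place overwrite with random bytes; the .docx name stays.
    with open(os.path.join(root, "contract.docx"), "wb") as fh:
        fh.write(os.urandom(4096))
    return root


def run_demo() -> dict:
    """Map each sample file name to its verdict."""
    root = build_sample_tree()
    return {os.path.basename(f["path"]): f["suspicious"]
            for f in scan_directory(root)}


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{name}: {'SUSPICIOUS' if verdict else 'ok'}")
```

Run it against a user's document folders rather than the sample tree by calling scan_directory on the real path; a burst of "suspicious" verdicts across many documents in a short time is the kind of signal a behavioral anti-ransomware engine acts on, and a single hit on a legitimately encrypted archive is the expected false positive.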

It also attempts to change the Master Boot Record (MBR) of the system disk and creates a scheduled task that reboots the computer.

After the reboot, it launches itself before the operating system loads. Once it has full control of the machine, it scans the whole system again and encrypts the files.
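The scheduled reboot is a step a defender can watch for in process-creation telemetry. The following added example (not code from the original post or from TEMASOFT) flags scheduled-task creation whose action is a reboot command. The log format is constructed for this example, and the exact command line Petrwrap uses is not taken from the post; the assumption is only that a task created with schtasks whose action runs shutdown with the restart switch is worth an alert on an ordinary workstation.

```python
"""Flag scheduled-task creation whose action reboots the host.

Added example, not from the original post. Petrwrap creates a scheduled task
that reboots the machine so its MBR code can run; this scanner looks through
process-creation events for task creation whose action is a restart command.
"""
import re

# Constructed sample of process-creation events: "<time> <user> <command line>".
SAMPLE_EVENTS = [
    r"10:01:02 CORP\alice C:\Windows\System32\schtasks.exe /Create /SC ONCE /TN Backup /TR C:\backup\run.bat /ST 23:00",
    r'10:03:15 CORP\bob C:\Windows\System32\schtasks.exe /Create /SC once /TN Maintenance /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 10:40',
    r"10:03:16 CORP\bob C:\Windows\System32\notepad.exe report.txt",
    r"10:05:00 CORP\carol C:\Windows\System32\schtasks.exe /Delete /TN Maintenance /F",
]

# schtasks invoked with /Create (case-insensitive, path-independent).
CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
# The task action: the /TR argument, quoted or a single bare token.
TR_RE = re.compile(r'/TR\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# A restart: shutdown (with or without .exe) followed somewhere by the /r switch.
REBOOT_RE = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split one constructed event line into its three fields."""
    time, user, cmd = line.split(" ", 2)
    return {"time": time, "user": user, "cmd": cmd}


def task_action(cmd: str):
    """Return the /TR action of a schtasks /Create command, or None."""
    if not CREATE_RE.search(cmd):
        return None
    m = TR_RE.search(cmd)
    if not m:
        return None
    return m.group(1) or m.group(2)


def find_reboot_tasks(lines) -> list:
    """Return every event that schedules a task whose action restarts the host."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        action = task_action(ev["cmd"])
        if action and REBOOT_RE.search(action):
            hits.append({"time": ev["time"], "user": ev["user"], "action": action})
    return hits


if __name__ == "__main__":
    for hit in find_reboot_tasks(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['user']} scheduled a reboot: {hit['action']}")
```

On a real estate the input would be command lines from Windows process-creation auditing or Sysmon rather than the constructed list, and the rule is most useful when correlated with the parent process: a reboot task created by a document viewer or an unfamiliar binary, shortly after a burst of file writes, is far more telling than the same task created by an administrator's maintenance script.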

Finally, it shows the ransom note. Victims are asked to pay $300 to be able to recover their files.

Once the computer is infected, there is apparently no way to decrypt the files, and the system will no longer boot into Windows.

[Update 29-Jun]

The email address associated with the ransom payment has now been disabled, so users must not pay the ransom: they will not recover their files even if they pay.

The only way to have the machine operational again is to reinstall the operating system and restore the files from a backup image.

How to protect computers from ransomware like Petya

Petya is advanced ransomware, and the best option to protect against it is a professional anti-ransomware product that offers MBR protection.

Keeping the operating system up to date is also a must. Users and administrators must turn on Windows auto-update or apply the latest patches through specialized applications.

Apart from patching and using dedicated anti-ransomware products, users must pay special attention to emails containing links or suspicious attachments. Typical examples are documents that claim to be bills, reservations, delivery notices and so on. Unless the sender is well known, it is better not to open documents attached to emails. If an email seems legitimate and the user does open the attached document, it is important not to enable document macros or similar features.

The last resort that can save users when facing a ransomware attack is a functional and secure backup system.

How we can help

First of all, we highly recommend applying the Microsoft patch that eliminates the SMB vulnerability mentioned earlier; download it only from Microsoft's official location.

Secondly, as a permanent solution, we can help keep ransomware at bay with TEMASOFT Ranstop, our dedicated anti-ransomware software, which protects computers from common and zero-day ransomware. Ranstop offers MBR protection, which is particularly effective against ransomware like Petya, and combines a behavioral detection engine with real-time backup to secure files against malware threats.

In particular, we tested TEMASOFT Ranstop against Petya: it caught the malware within a few seconds, and no user document was lost.

The vaccine is indeed effective, but against this particular variant only. This means that, when using the vaccine, if you get attacked by exactly the same variant, the attack will fail. Testing the vaccine itself is difficult, but by looking at its technical details, it is a sound solution. To better protect against ransomware you need a specialized solution that works for all ransomware variants, not only for particular strains.

Good article, thanks! We will evaluate the advice above.
We have looked for antivirus solutions that protect the MBR but either this feature is not mentioned, or most do not have this kind of protection. Any idea why?

Hi Stan,
Protecting the MBR has not been regarded as a job for antivirus solutions. Such solutions attempt to stop the malicious process immediately before it executes. If this approach succeeds, there is no need for additional protection. The issue is this approach only works for known malware and does not work for zero-day variants.
For best protection, help your antivirus solution with specialized anti-ransomware.